EP4295545A1 - System and method for increased throughput and scalability - Google Patents

System and method for increased throughput and scalability

Info

Publication number
EP4295545A1
Authority
EP
European Patent Office
Prior art keywords
transit
gateway
gateways
network
gateway cluster
Prior art date
Legal status
Pending
Application number
EP22756726.0A
Other languages
German (de)
English (en)
Inventor
Xiaobo Sherry Wei
Praveen Vannarath
Current Assignee
Aviatrix Systems Inc
Original Assignee
Aviatrix Systems Inc
Priority date
2021-02-22
Filing date
2022-02-11
Publication date
2023-12-27
Application filed by Aviatrix Systems Inc
Publication of EP4295545A1
Legal status: Pending

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 45/00 Routing or path finding of packets in data switching networks > H04L 45/24 Multipath
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 45/00 Routing or path finding of packets in data switching networks > H04L 45/46 Cluster building

Definitions

  • Embodiments of the disclosure relate to the field of networking. More specifically, one embodiment of the disclosure relates to a network architecture configured to support increased gateway scalability and system throughput to mitigate communication disruptions, especially between virtual private clouds (VPCs) within a public cloud network.
  • VPCs: virtual private clouds
  • IaaS: Infrastructure as a Service
  • cloud computing platform: e.g., public cloud network
  • software components: e.g., virtual machine instances such as virtual servers
  • VPCs: virtual private cloud networks
  • a virtual private cloud network is an on-demand, configurable pool of shared resources, which are allocated within the cloud computing platform and provide a certain level of isolation between the different organizations or other entities (hereinafter, “users”) using the resources.
  • IP: Internet Protocol
  • AWS®: Amazon® Web Services
  • EC2: Amazon® Elastic Compute Cloud
  • Azure® provides different types of virtual machines.
  • peering constitutes an establishment of private IP-based, peer-to-peer communications between resources within separate VPCs for the purpose of routing data traffic as requested.
  • these private peer-to-peer communications include a primary communication link and a high availability (HA) communication link.
  • the HA communication link was operational in response to a “failover” condition.
  • each gateway included in a private “spoke” VPC, i.e., a private VPC responsible for maintaining a subnet of application instances operating within the cloud network
  • transit VPC a computing device located in an on-premises network
  • a first operational constraint is that the cloud computing platform, based on current cloud network provider policies, only allows for a limited number of private IP-based communication links between VPCs (e.g., 100 private IP communication links). Therefore, a traffic bottleneck is created as more data traffic flows through the transit VPC. Without any changes to the cloud network provider policies, which are not controlled by the cloud customer, these bottleneck conditions will continue and become more problematic as more resources are migrated to the cloud and no additional private IP-based communication links are made available.
  • a second operational constraint arises because, due to data traffic management complexities, each gateway included in a private spoke VPC is configured to support only two private IP-based communication links, directed to a pair of neighboring gateways.
  • An architecture design change is needed to reduce management complexity and allow a greater number of gateways to operate within the same VPC.
  • FIG. 2 is an exemplary embodiment of private IP-based, peer-to-peer communications between gateway clusters deployed within multiple spoke VPCs and a gateway cluster deployed within the transit VPC.
  • FIG. 3 is an exemplary embodiment of a layered transit VPC to support increased scalability of spoke VPCs.
  • FIG. 4 is an exemplary embodiment of interface logic deployed within an on-premises network to overlay operability of a physical router controlling communications with the on-premises network.
  • FIG. 5 is an exemplary embodiment of egress operability of the on-premises interface logic of FIG. 4.
  • FIG. 6 is an exemplary embodiment of ingress operability of the on-premises interface logic of FIG. 4.
  • VPC: virtual private cloud network
  • on-prem: on-premises
  • the transit VPC may feature a gateway cluster including multiple (two or more) gateway pairs.
  • the transit VPC may be configured with a layered gateway cluster configuration.
  • interface logic associated with an on-prem network may be configured with a gateway cluster and Equal-Cost Multi-Path controlled (ECMP-controlled) switching.
  • a first type of cloud-based networking infrastructure supports a one-to-many communication link deployment (e.g., criss-cross peering), where each spoke gateway supports multiple, active peer-to-peer communication links to different transit gateways.
  • the peer-to-peer communication links may constitute cryptographically secure tunnels, such as tunnels operating in accordance with a secure network protocol.
  • IPSec: Internet Protocol Security
  • peer-to-peer communication links may be referred to as “IPSec tunnels.”
  • IPSec tunnels: a second type of cloud-based networking infrastructure may be configured to operate as a private cloud network that supports the routing of messages between the transit VPC and one or more spoke VPCs, while a local networking infrastructure may be configured to support the routing of messages within the on-prem network.
  • ECMP: equal cost multi-path
  • the routing path selection via the gateways within the VPCs may be accomplished through the ECMP routing strategy, namely next-hop message forwarding to a single destination can occur over multiple “best” paths that are determined in accordance with an assigned ECMP metric.
  • the IPSec tunnels associated with a gateway (e.g., spoke gateway or transit gateway)
  • load balancing may not be based on ECMP; rather, load balancing is achieved through an assignment of weights such that different tunnels may be assigned different weights, based on one or a combination of factors such as bandwidth, preference, or the like.
  • the gateway that relies on the IPSec tunnel may update its gateway routing table autonomously by disabling (bringing down) a tunnel interface (e.g., virtual tunnel interface) corresponding to the failed IPSec tunnel, without reliance on activity by a controller that manages operability of the network.
  • a tunnel interface: e.g., virtual tunnel interface
  • the gateway precludes messages from being routed through the failed IPSec tunnel to mitigate data transmission loss. Instead, the messages are routed through a selected active IPSec tunnel, which may be reassigned to communicate with all or some of the instances within a particular instance subnet.
  • a controller is responsible for managing operability of the private cloud network, including handling the configuration of one or more spoke VPCs by segregating cloud instances within each spoke VPC to particular subnets.
  • a “subnet” is a segment of a VPC’s IP address range designated to group resources (e.g., managed software instances each directed to particular functionality) based on security and operational needs.
  • each instance subnet established within a spoke VPC may be a collection of instances for that spoke VPC that are selected to communicate with a selected spoke gateway residing in the spoke VPC.
  • the gateway routing tables are relied upon by the gateways for determining which tunnels to use for propagating data traffic (e.g., messages) towards a destination (e.g., virtual tunnel interface for a destination cloud instance or computing device).
  • the gateway routing tables include at least IPSec tunnels and perhaps secondary (e.g., GRE) tunnels between gateways within the same VPC, to be used in the event that all of the IPSec tunnels have failed.
  • the analytics may constitute a one-way hash operation in which the results (or a portion of the results) are used to select a particular ECMP link in the routing table for transmitting the data traffic.
  • the network architecture is selected to provide greater system throughput, especially by reconfiguration of the transit gateway cluster.
  • the terms “logic” and “computing device” are representative of hardware, software or a combination thereof, which is configured to perform one or more functions.
  • the logic may include circuitry having data processing or storage functionality. Examples of such circuitry may include, but are not limited or restricted to, a microprocessor, one or more processor cores, a programmable gate array, a microcontroller, an application specific integrated circuit, wireless receiver, transmitter and/or transceiver circuitry, semiconductor memory, or combinatorial logic.
  • non-transitory storage medium: may include, but is not limited or restricted to, a programmable circuit; a semiconductor memory; non-persistent storage such as volatile memory (e.g., any type of random access memory “RAM”); persistent storage such as non-volatile memory (e.g., read-only memory “ROM”, power-backed RAM, flash memory, phase-change memory, etc.), a solid-state drive, hard disk drive, an optical disc drive, or a portable memory device.
  • the logic may operate as firmware stored in persistent storage.
  • VPC routing table(s): A VPC routing table may be used to associate spoke gateways within each VPC with one or more different instance subnets. Load balancing is achieved by assigning equal cost multi-path (ECMP) routing parameters to each of the gateways. Therefore, the VPC routing table requires no programming unless a gateway becomes disabled (i.e., goes down), in which case the VPC routing table may be remapped based on the results of a 5-tuple analytics mapped to the remainder of the active gateways within the VPC.
  • IPSec tunnels: Secure peer-to-peer communication links established between gateways of neighboring VPCs or between gateways of a VPC and a router of an on-prem network.
  • the peer-to-peer communication links are secured through a secure network protocol suite referred to as “Internet Protocol Security” (IPSec).
  • M × N IPSec tunnels are created between the spoke VPC and the transit VPC to form the full-mesh network.
  • VTI: virtual tunnel interface
  • VTI states are represented by VTI states.
  • Transmission medium: A physical or logical communication path between two or more electronic devices.
  • wired and/or wireless interconnects in the form of electrical wiring, optical fiber, cable, bus trace, or a wireless channel using infrared, radio frequency (RF), may be used.
  • RF: radio frequency
  • the scalable network 110 is configured to provide enhanced throughput between at least a first VPC (hereinafter, “spoke VPC”) 120 and a second VPC (hereinafter, “transit VPC”) 130 within the public cloud computing platform 100.
  • although two spoke VPCs 120 and 121 and one transit VPC 130 are illustrated in FIG. 1, it is contemplated that multiple spoke VPCs and multiple transit VPCs may formulate the construct of the scalable network 110, as shown in FIG. 3.
  • the spoke VPC 120 is configured with multiple VPC subnetworks 145 (hereinafter, “subnets”), where each of these subnets 145 includes different cloud application instances.
  • Each of the instance subnets 145_1, ..., 145_P (P ≥ 2) is configured, in accordance with a VPC routing table 150, to exchange data traffic with a selected gateway of a set of (e.g., two or more) gateways 125 maintained in the spoke VPC 120.
  • these gateways 125 are referred to as “spoke gateways” 125.
  • the spoke VPC 121 may be deployed in a similar configuration with spoke gateways 126.
  • a controller 160 for the scalable network 110 may be configured to manage communication links between the instance subnets 145_1-145_P and the set of spoke gateways 125 as represented by the VPC routing table 150, which is initially programmed to identify which of the spoke gateways 125 is responsible for interacting with which of the one or more instance subnets 145_1, ..., 145_P (e.g., to receive message(s), forward message(s), etc.).
  • the same operability described for spoke VPC 120 also applies for spoke VPC 121.
  • the scalable network 110 may be accomplished by peering the set of spoke gateways 125, deployed within the spoke VPC 120, to a gateway cluster 132 deployed within the transit VPC 130 via peer-to-peer communication links 170.
  • the gateway cluster 132 includes at least two pairs of transit gateways.
  • the set of spoke gateways 126 deployed within the spoke VPC 121 may be communicatively coupled via peer-peer communication links 172 to the transit gateways of the gateway cluster 132.
  • the transit gateway cluster 132 of the transit VPC 130 may be communicatively coupled, via peer-to-peer communication links 174, to interface logic 180 of the on-prem network 190.
  • the interface logic 180 features a gateway cluster 182 along with Equal-Cost Multi-Path controlled (ECMP-controlled) switching logic 184, which constitute logic that overlays a router (not shown) and controls connectivity between the on-prem network 190 and the transit VPC 130.
  • the switching logic 184 controls selection of one of the gateways within the gateway cluster 182 to assist in the handling of ingress and/or egress communications between a cloud appliance instance deployed within one of the instance subnets 145 and the computing device 195.
  • the scalable network 110 may be accomplished by peering the spoke gateways 125 deployed within the spoke VPC 120 to the transit gateway cluster 132 deployed within the transit VPC 130. More specifically, according to one embodiment of the disclosure, the spoke gateways 125 may include a set (e.g., two or more) of spoke gateways 200_1-200_M (M ≥ 2) deployed within the spoke VPC 120.
  • the transit gateway cluster 132 includes at least two pairs of “transit gateways” 210_1-210_N (N ≥ 4) communicatively coupled via the peer-to-peer communications 170 to the spoke gateways 200_1-200_M.
  • the transit gateways 210_1-210_N are represented by a total of six transit gateways 210_1-210_6, although it is contemplated that four or more transit gateways may be deployed as the transit gateway cluster 132 to provide additional throughput for communications from/to the spoke VPCs 120 and 121.
  • the spoke gateways 200_1-200_4 are configured for communications with transit gateways 210_1-210_6 via the peer-to-peer communication links 170, namely peer-to-peer communication links 230_11-230_46.
  • each spoke gateway (e.g., spoke gateway 200_i, where 1 ≤ i ≤ 4)
  • spoke gateway 200_i is communicatively coupled to each of the transit gateways 210_1-210_6 via multiple, active peer-to-peer communication links 230_i1-230_i6.
  • M × N IPSec tunnels 230_11-230_MN are created between the spoke VPC 120 and the transit VPC 130.
  • the IPSec tunnels 230_11-230_26 may be established and maintained through gateway routing tables 240_1-240_2 dedicated to each of the spoke gateways 200_1-200_2, respectively.
  • the second spoke gateway 200_2 is communicatively coupled both to the first transit gateway 210_1 via IPSec tunnel 230_21 and to the second through sixth transit gateways 210_2-210_6 via IPSec tunnels 230_22-230_26.
  • each spoke gateway 200_1 and 200_2 is communicatively coupled to each of the transit gateways 210_1-210_6 via multiple, active peer-to-peer communication links 230_11-230_16 and 230_21-230_26, respectively.
  • the management of the IPSec tunnels 230_11-230_16 and 230_21-230_26 may be accomplished through gateway routing tables 240_1-240_2 maintained by each of the respective gateways 200_1-200_2.
  • the same connective architecture is applicable between the spoke gateways 200_3-200_4 and transit gateways 210_1-210_6.
  • each transit gateway 210_j may be configured to support multiple active peer-to-peer communication links with gateways within the gateway cluster 182 of the on-prem network 190.
  • the transit VPC 130 includes “N” transit gateways 210_1-210_N in communication with a plurality of on-prem gateways
  • multiple IPSec tunnels (e.g., N × the number of on-prem gateways)
  • the IPSec tunnels may be established and maintained through transit gateway routing tables dedicated to each of the transit gateways 210_1-210_N.
  • the layered transit VPC 300 includes a first communication path 320 between the first transit gateway cluster 310 and the second transit gateway cluster 312, a second communication path 330 between the second transit gateway cluster 312 and the third transit gateway cluster 314, and a third communication path 340 between the first transit gateway cluster 310 and the third transit gateway cluster 314.
  • the communication paths 320, 330 and 340 are formed with a portion of the private, peer-to-peer communication links reserved for the scalable network 110.
  • the scalable network 110 is assigned a predetermined number (A) of private, peer-to-peer communication links for use by transit gateway clusters 310, 312 and 314. If the communication links were used in their entirety for communications with spoke gateways, a transit gateway cluster including “B” transit gateways would support “C” spoke gateways (C ≤ A/B). However, for a layered transit VPC 300, a prescribed number of these “A” peer-to-peer communication links are reserved for inter-communications between the transit gateway clusters 310, 312 and 314 over communication paths 320, 330 and 340.
  • the interface logic 180 features the gateway cluster 182 along with the first ECMP-controlled switch 420 and the second ECMP-controlled switch 430 operating with the router 440.
  • egress communications 500, such as a message from computing device 195 for example, are received by the router 440 (operation A, 510).
  • the router 440 forwards the message 500 to the first ECMP-controlled switch 420 (operation B, 520).
  • the first ECMP-controlled switch 420 performs ECMP-based computations on the metrics associated with each of the gateways 400_1-400_S within the gateway cluster to select one of the gateways 400_1, ..., or 400_S.
  • the first ECMP-controlled switch 420 encrypts the message 500 to generate an encrypted message 505 to provide to the selected gateway, such as gateway 400_2 for example (operation C, 530). Thereafter, the first ECMP-controlled switch 420 forwards the encrypted message 505 to the selected gateway 400_2 (operation D, 540).
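As an added example (not code from the patent or from Aviatrix), the following Python model of one spoke gateway's routing table ties together the definitions above: the M × N IPSec tunnel mesh, ECMP link selection by a one-way hash of the 5-tuple, the weighted alternative, autonomous VTI shutdown on tunnel failure without a controller round-trip, and fallback to secondary GRE tunnels once every IPSec tunnel is down. Class, function and tunnel names, and the sample flows, are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# A flow is the 5-tuple (src_ip, dst_ip, protocol, src_port, dst_port).
Flow = tuple


@dataclass
class Tunnel:
    name: str            # e.g. "230_12": spoke gateway 200_1 -> transit gateway 210_2
    kind: str            # "ipsec" = primary inter-VPC tunnel, "gre" = secondary intra-VPC tunnel
    weight: int = 1      # only consulted in weighted mode
    vti_up: bool = True  # virtual tunnel interface state; False once brought down


def mesh_for_spoke_gateway(i, n_transit, gre_peers=()):
    """Tunnels 230_i1 .. 230_iN of spoke gateway 200_i in the M x N mesh, plus
    optional secondary GRE tunnels to sibling spoke gateways in the same VPC."""
    tunnels = [Tunnel(f"230_{i}{j}", "ipsec") for j in range(1, n_transit + 1)]
    tunnels += [Tunnel(f"gre_{i}{k}", "gre") for k in gre_peers]
    return tunnels


class GatewayRoutingTable:
    """Per-gateway routing table: picks the egress tunnel for each flow."""

    def __init__(self, tunnels, mode="ecmp"):
        assert mode in ("ecmp", "weighted")
        self.tunnels = list(tunnels)
        self.mode = mode

    def _active(self, kind):
        return [t for t in self.tunnels if t.kind == kind and t.vti_up]

    def candidates(self):
        # GRE tunnels are consulted only once every IPSec tunnel has failed.
        ipsec = self._active("ipsec")
        return ipsec if ipsec else self._active("gre")

    @staticmethod
    def flow_hash(flow):
        # One-way hash of the 5-tuple; a prefix of the digest selects the link.
        digest = hashlib.sha256("|".join(map(str, flow)).encode()).digest()
        return int.from_bytes(digest[:4], "big")

    def select(self, flow):
        cands = self.candidates()
        if not cands:
            raise RuntimeError("no active tunnel: traffic would be dropped")
        h = self.flow_hash(flow)
        if self.mode == "ecmp":
            return cands[h % len(cands)]  # equal cost: uniform over active links
        total = sum(t.weight for t in cands)
        if total <= 0:
            raise RuntimeError("weighted mode needs a positive total weight")
        point = h % total  # weighted: share proportional to each tunnel's weight
        for t in cands:
            point -= t.weight
            if point < 0:
                return t
        return cands[-1]  # not reached; point < total guarantees a hit above

    def tunnel_failed(self, name):
        # The gateway brings the VTI down itself (no controller round-trip), so
        # flows that hashed to this tunnel re-spread over the remaining links.
        for t in self.tunnels:
            if t.name == name:
                t.vti_up = False


def distribution(table, n_flows):
    """Count how many constructed sample flows land on each tunnel name."""
    counts = {}
    for p in range(n_flows):
        flow = ("10.0.1.5", "10.0.2.9", 6, 40000 + p, 443)  # constructed flow
        name = table.select(flow).name
        counts[name] = counts.get(name, 0) + 1
    return counts
```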

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to a network architecture comprising a layered transit virtual private cloud network and interface logic that controls the egress and ingress of messages between the transit VPC and a local network. First, the layered transit VPC comprises a first transit gateway cluster communicatively coupled to one or more spoke VPCs for receiving messages from cloud instances, and a second transit gateway cluster communicatively coupled to the local network. The layered transit VPC supports increased scalability of the spoke VPCs. Second, the interface logic is configured to operate in conjunction with a gateway cluster that controls the operability of a router by at least controlling the propagation of messages into or out of the local network via one or more selected gateways forming the gateway cluster.
EP22756726.0A 2021-02-22 2022-02-11 System and method for increased throughput and scalability Pending EP4295545A1 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US202163152291P 2021-02-22 2021-02-22
US202117395428A 2021-08-05 2021-08-05
PCT/US2022/016074 WO2022177808A1 (fr) 2021-02-22 2022-02-11 System and method for increased throughput and scalability

Publications (1)

Publication Number Publication Date
EP4295545A1 (fr) 2023-12-27

Family

ID=82930965

Family Applications (1)

Application Number Title Priority Date Filing Date
EP22756726.0A Pending EP4295545A1 (fr) 2021-02-22 2022-02-11 System and method for increased throughput and scalability

Country Status (2)

Country Link
EP (1) EP4295545A1 (fr)
WO (1) WO2022177808A1 (fr)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9401818B2 (en) * 2013-03-15 2016-07-26 Brocade Communications Systems, Inc. Scalable gateways for a fabric switch
US11153122B2 (en) * 2018-02-19 2021-10-19 Nicira, Inc. Providing stateful services deployed in redundant gateways connected to asymmetric network
US11165828B2 (en) * 2019-02-28 2021-11-02 Cisco Technology, Inc. Systems and methods for on-demand flow-based policy enforcement in multi-cloud environments

Also Published As

Publication number Publication date
WO2022177808A4 (fr) 2022-11-17
WO2022177808A1 (fr) 2022-08-25

Similar Documents

Publication Publication Date Title
EP3815311B1 (fr) Intelligent use of peering in a public cloud
US11388227B1 (en) Multi-cloud active mesh network system and method
US10491466B1 (en) Intelligent use of peering in public cloud
CN107196813B (zh) Method and apparatus for a self-organizing layer-2 enterprise network architecture
US7486659B1 (en) Method and apparatus for exchanging routing information between virtual private network sites
EP3119047B1 (fr) Load balancing method, apparatus and system
US7590074B1 (en) Method and apparatus for obtaining routing information on demand in a virtual private network
US11924004B2 (en) Link configuration method and controller
EP2289206A2 (fr) Data center interconnect and traffic engineering
US20190222511A1 (en) Randomized vnf hopping in software defined networks
US10462630B2 (en) Network-based machine-to-machine (M2M) private networking system
US11943223B1 (en) System and method for restricting communications between virtual private cloud networks through security domains
US11824777B1 (en) System and method for automatic appliance configuration and operability
WO2022177808A1 (fr) System and method for increased throughput and scalability
US11502942B1 (en) Active mesh network system and method
CN117223261A (zh) System and method for increased throughput and scalability
EP4348947A1 (fr) Multi-cloud active mesh network system and method
US20240179027A1 (en) Link configuration method and controller
US11916883B1 (en) System and method for segmenting transit capabilities within a multi-cloud architecture
US11855896B1 (en) Systems and methods for load balancing network traffic at firewalls deployed in a cloud computing environment
US11843539B1 (en) Systems and methods for load balancing network traffic at firewalls deployed in a cloud computing environment
US20240129232A1 (en) Systems and methods for load balancing network traffic at firewalls deployed in a cloud computing environment
US20230337113A1 (en) Managing multiple transit gateway routing tables to implement virtual routing and forwarding functionality
WO2023244853A1 (fr) High-performance communication link and method of operation
CN117203938A (zh) System and method for segmenting transit capabilities within a multi-cloud architecture

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20230922

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR